23andMe, the well-known genomics company, has been in a downward spiral ever since it suffered a fairly catastrophic data breach last year. Since then, the company, which is headed by Sergey Brin’s ex-wife, Anne Wojcicki, has been enduring a maelstrom of controversy. Litigation, layoffs, and financial devastation have marred the business’s operations. As such, a lot of the company’s customers are looking to cut and run. Understandably, people want to delete their accounts and purge whatever data the company has on them. Unfortunately, 23andMe isn’t really going to delete all of your data.
Oh, sure, you can delete your account. There is a tutorial on the company’s website explaining how to do it. However, MIT Technology Review reports that, while the company will technically erase your account, it plans to hang onto a chunk of the information associated with it. For instance, if you’ve previously consented to sharing your anonymized genetic data with third parties, there’s no way for you to delete that information. At the same time, the company will also retain a vague amount of your genetic information, as well as information about your sex, birthday, email address, and details about your account deletion request, MIT writes. According to 23andMe’s privacy policy, it retains your genetic and birthday information to fulfill regulatory requirements.
In short, the company will maintain evidence that your account existed, along with easily identifiable information (your DOB), your email contact, and, again, some amount of your genetic information.
If you would like to delete your account, you can do it through your Account Settings tab. Some identity verification may be necessary for you to complete this stage of the deletion request. You’ll get an email from the company asking for a confirmation that you want to delete your account. If you go through with the deletion process, the company notes that, once you’ve confirmed your decision, you won’t be able to go back on it.
When reached for comment by Gizmodo, a 23andMe spokesperson provided a statement that reads, in part:
We have strong customer privacy protections in place. 23andMe does not share customer data with third parties without customers’ consent, and our Research program is opt-in, requiring customers to go through a separate, informed consent process before joining. Further, 23andMe Research is overseen by an outside Institutional Review Board, ensuring we meet the high ethical standards for the research we conduct. Roughly 80% of 23andMe customers consent to participate in our research program, which has generated more than 270 peer reviewed publications uncovering hundreds of new genetic insights into disease.
As to the issue of data maintained after accounts are deleted, the spokesperson said:
While we will delete the majority of a customer’s Personal Information following an account deletion request, our genotyping labs are required to retain some information to comply with our legal obligations. That information includes a customer’s age, sex and a subset of uninterpreted raw genetic data…
23andMe’s data breach was first reported in October of 2023 when customer data showed up on the dark web. At the time, 23andMe told the public that only about 14,000 accounts had been impacted by the breach. However, later investigation revealed that, due to an internal data-sharing feature linked to those accounts, the real number of impacted people was probably something like 6.9 million. In September of this year, 23andMe agreed to pay out a $30 million settlement related to the breach. Last month, after it was announced that Wojcicki would attempt to take the company private, all of 23andMe’s independent directors resigned from the company’s board.